WordPress miniOrange Plugins Critical Vulnerability - 20240319002
Overview
The WA SOC has become aware of a critical vulnerability in the Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by miniOrange). Successful exploitation could allow privilege escalation on the affected WordPress site.
What is vulnerable?
CVE | Severity | CVSS | Product(s) Affected | Summary | Dated
---|---|---|---|---|---
CVE-2024-2172 | Critical | 9.8 | Malware Scanner, all versions up to and including 4.7.2 | Privilege escalation due to a missing capability check on the mo_wpns_init() function | March 13, 2024
CVE-2024-2172 | Critical | 9.8 | Web Application Firewall, all versions up to and including 2.1.1 | Privilege escalation due to a missing capability check on the mo_wpns_init() function | March 13, 2024
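Both rows name the same weakness class: a function that runs on an admin hook and acts on request data without first checking the caller's capability. The following is an added, hypothetical example of that pattern beside a hardened form; it is not the miniOrange plugins' code, and the function, option and nonce names (hypothetical_init_vulnerable, hypothetical_settings, hypothetical_update_settings) are invented for illustration. The advisory does not say which setting the real function exposes, so the example uses a generic plugin option to show the pattern rather than the plugin's actual logic. Minimal stand-ins for the WordPress functions are included so it runs under the plain `php` CLI.

```php
<?php
// Added, hypothetical example: the WordPress anti-pattern behind a "missing
// capability check", beside a hardened version. NOT the miniOrange code;
// function, option and nonce names are invented for illustration.
//
// Stand-ins for the WordPress API so this file runs under the plain `php` CLI.
// In a real plugin these come from WordPress core and must not be redefined.
$GLOBALS['demo_caps']    = [];   // capabilities of the simulated current user
$GLOBALS['demo_options'] = [];   // simulated wp_options table
function current_user_can(string $cap): bool { return !empty($GLOBALS['demo_caps'][$cap]); }
function wp_verify_nonce(string $nonce, string $action): bool { return hash_equals('demo-nonce-' . $action, $nonce); }
function update_option(string $name, $value): bool { $GLOBALS['demo_options'][$name] = $value; return true; }
function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }

// VULNERABLE: a handler hooked to `admin_init`. That hook fires for every
// authenticated request to /wp-admin/ (admin-ajax.php included), so a
// Subscriber reaches it just as an Administrator does. It trusts the POST
// body outright: no capability check, no nonce check.
// In a real plugin: add_action('admin_init', 'hypothetical_init_vulnerable');
function hypothetical_init_vulnerable(array $post): string {
    if (($post['option'] ?? '') === 'update_settings') {
        update_option('hypothetical_settings', sanitize_text_field($post['settings'] ?? ''));
        return 'updated';
    }
    return 'ignored';
}

// HARDENED: the same handler with an authorization check (capability) and a
// CSRF check (nonce bound to this action) before any state is written.
function hypothetical_init_hardened(array $post): string {
    if (($post['option'] ?? '') === 'update_settings') {
        if (!current_user_can('manage_options')) {
            return 'denied: caller lacks manage_options';
        }
        if (!wp_verify_nonce((string) ($post['_wpnonce'] ?? ''), 'hypothetical_update_settings')) {
            return 'denied: missing or invalid nonce';
        }
        update_option('hypothetical_settings', sanitize_text_field($post['settings'] ?? ''));
        return 'updated';
    }
    return 'ignored';
}

// Simulation: a low-privilege user (no manage_options) posts the settings form.
$subscriber_request = ['option' => 'update_settings', 'settings' => 'attacker-controlled'];
$GLOBALS['demo_caps'] = [];                                   // Subscriber role
printf("vulnerable, subscriber:  %s\n", hypothetical_init_vulnerable($subscriber_request));
printf("hardened,   subscriber:  %s\n", hypothetical_init_hardened($subscriber_request));

// An administrator with a valid nonce, to show the hardened path still works.
$GLOBALS['demo_caps'] = ['manage_options' => true];
$admin_request = $subscriber_request + ['_wpnonce' => 'demo-nonce-hypothetical_update_settings'];
printf("hardened,   admin+nonce: %s\n", hypothetical_init_hardened($admin_request));
```

The check to carry into a review of any plugin is the order of operations in the hardened function: authorize (current_user_can), then verify intent (wp_verify_nonce or check_admin_referer), and only then write. A nonce alone is not authorization, since any logged-in user can obtain a nonce for an action they are allowed to see; the capability check is what stops a Subscriber.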
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation
The WA SOC recommends administrators apply the remediation below to all affected WordPress installations within the expected timeframe of 48 hours... (refer Patch Management):
Product(s) | Remediation
---|---
Malware Scanner <= 4.7.2 | No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Web Application Firewall <= 2.1.1 | No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
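Because no fixed release exists, the practical first step is to find every install of the two plugins and confirm whether each is at or below the ceilings in the table. The script below is an added example, not part of the advisory or the vendor's tooling: it reads the standard WordPress plugin header from each plugin's main file (core reads these from the first 8 KiB via get_file_data()), matches the product names from the table, and flags versions at or below 4.7.2 and 2.1.1 respectively. It assumes the usual wp-content/plugins/<slug>/<file>.php layout and that the header's "Plugin Name:" contains the product name (possibly with a vendor prefix). The demo tree it builds in a temp directory is constructed for illustration; pass a real plugins directory as the first argument to scan an install.

```php
<?php
// Added example, not part of the advisory or the vendor's tooling: locate
// installed copies of the two affected plugins under a WordPress plugins
// directory and flag versions at or below the advisory's ceilings.
// Assumption: plugin headers follow the standard WordPress format, which core
// reads from the first 8 KiB of the plugin's main file (see get_file_data()).

// Product name fragment => highest affected version, from the advisory table.
const AFFECTED_PLUGINS = [
    'Malware Scanner'          => '4.7.2',
    'Web Application Firewall' => '2.1.1',
];

function parse_plugin_header(string $contents): ?array {
    $head = substr($contents, 0, 8192);
    if (!preg_match('/^[ \t\/*#@]*Plugin Name:\s*(.+?)\s*$/mi', $head, $name)) {
        return null;                       // not a plugin main file
    }
    $version = preg_match('/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $head, $ver) ? $ver[1] : '';
    return ['name' => $name[1], 'version' => $version];
}

// Returns the advisory ceiling the plugin falls under, or null if not affected.
function affected_ceiling(string $plugin_name, string $version): ?string {
    foreach (AFFECTED_PLUGINS as $fragment => $ceiling) {
        // Vendor headers may carry a prefix (e.g. a brand name), so match on the fragment.
        if (stripos($plugin_name, $fragment) === false) {
            continue;
        }
        // No parseable version is treated as affected: there is no fixed release to be on.
        if ($version === '' || version_compare($version, $ceiling, '<=')) {
            return $ceiling;
        }
    }
    return null;
}

function scan_plugins_dir(string $plugins_dir): array {
    $findings = [];
    foreach (glob(rtrim($plugins_dir, '/') . '/*/*.php') ?: [] as $file) {
        $hdr = parse_plugin_header((string) file_get_contents($file));
        if ($hdr === null) {
            continue;
        }
        $ceiling = affected_ceiling($hdr['name'], $hdr['version']);
        if ($ceiling !== null) {
            $findings[] = ['file' => $file, 'name' => $hdr['name'],
                           'version' => $hdr['version'], 'affected_up_to' => $ceiling];
        }
    }
    return $findings;
}

// Demo tree, constructed for illustration (not a real install). Pass a real
// wp-content/plugins path as the first argument to scan an actual site.
$root = sys_get_temp_dir() . '/demo-plugins-' . getmypid();
foreach ([
    'scanner/scanner.php' => "<?php\n/*\nPlugin Name: Malware Scanner\nVersion: 4.7.2\n*/\n",
    'waf/waf.php'         => "<?php\n/**\n * Plugin Name: Web Application Firewall\n * Version: 2.1.1\n */\n",
    'hello/hello.php'     => "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
] as $rel => $src) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", $src);
}
$dir = $argv[1] ?? $root;
foreach (scan_plugins_dir($dir) as $f) {
    printf("AFFECTED %-26s %-7s (<= %s) %s\n", $f['name'], $f['version'], $f['affected_up_to'], $f['file']);
}
```

Treat a hit as "remove or mitigate", not "wait for an update": with no patch available, the table's recommendation is to uninstall the plugin rather than merely deactivate it, since a deactivated plugin's files remain on disk and are reinstated the moment someone re-enables it.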